The GDPR was the most lobbied law in EU history. DSA: Hold my beer

Autumn, 2010

We are used to rain on All Saints’ Day. Half the leaves litter the floor and the other half cling to their branches until the next big gust of wind. Here comes winter.

On Wednesday we should, but might not, know the outcome of the US Presidential Elections. The prospects this decade for ‘human dignity and human rights, freedom, democracy, equality and the rule of law’ – the EU’s self-professed ‘values’ – hang in the balance. Still more ominously, Trump’s reelection would, as generally expected, effectively dash the already fragile hope of limiting global warming by the end of the century to below 3°C compared to preindustrial levels.

Whether or not we know the result on 4 November, no one will be interested in it being exactly one decade since the European Commission announced its GDPR intentions. The official communication was the familiar stock-in-trade of shaded boxes, emboldened text and bullet points guiding the reader through an unexplained hierarchy of content. Fifteen months later, a draft legal act was tabled. Before that, a pre-final text had been strategically leaked to test the market; a pair of lobbyists from Apple and Facebook were spotted in a Brussels café as they pored over the document together circling and highlighting the bits to report to California.

A decade is a long time in digital technology, as the clichés remind us. Yet the 2010 communication does not seem hopelessly dated. It referred to ‘rapid technological developments and globalisation’, it mentioned ‘social networking sites’ and ‘”Cloud computing”’ (the latter still meriting inverted commas back then). Otherwise, it essentially rehearsed the pillars and principles of EU data protection law that are now so commonplace that even China is pretending, in its own sinister way, to adopt them. What the document does not grapple with, however, is the notion of power.

Data protection law has only a very basic framework of power, premised as it is on the notion that if you can collect and use data then you are in a position to affect the life of the person to whom the data relates. One of the 150 recitals in the GDPR nods towards such a framework, when it attempts to rule out consent as a legal basis for processing when there is ‘a clear imbalance between the data subject and the controller’. There are some concessions aimed at easing the burden for ‘micro, small and medium enterprises.’ Beyond that, however, data protection rights and obligations apply equally everywhere, from the local dry cleaners to Exxon Mobil, and from 2016 the new digital disruptors would have to fall in line too.

Soon it would become clear that some animals are more equal than others. The digital revolution continued and, around the time the GDPR was being adopted, big tech replaced big oil at the top of the corporate food chain.

‘Diminished beauty, multiplied commonplace’

US big tech is now feeling the heat. Facebook’s head of cybersecurity policy is unable to sleep at night thinking about the 3 November election and his platform’s susceptibility as a target for state-sponsored hacking and as a conduit/agent for disinformation. Google, subject of the US Department of Justice’s biggest antitrust suit since Microsoft in 1998, is alleged to be ‘the unchallenged gateway’, ‘crippling the competitive process, reducing consumer choice, and stifling innovation…’ forcing ‘countless advertisers’ to ‘pay a toll’ to its search monopolies and consumers to accept its ‘privacy practices’. The attorneys general of just about every state have been conducting antitrust probes into both these companies.

Margrethe Vestager, in a speech last week trailing the Digital Services Act, said, ‘today, a few big platforms… define our public space – and the choices they make affect the way our democracy works,’ and ‘we can’t just leave decisions which affect the future of our democracy to be made in the secrecy of a few corporate boardrooms.’ The European Data Protection Supervisor may have been the first EU body to speak in such terms (‘A very small number of giant companies have emerged as effective gatekeepers of the digital content which most people consume’) in March 2018, in a paper on privacy and online manipulation that coincided with the breaking of the Facebook-Cambridge Analytica scandal.

The DSA might well supplant the GDPR as the legislative acronym of the new decade. Unlike the GDPR, it does promise to embody a framework of power. It will concern ‘the very few large online platforms’ whose ‘role as gatekeepers between businesses and consumers, with economic power and control over entire platform ecosystems, makes it all but impossible for rivals or new market entrants to compete.’

‘How it is whirled about/ Wherever the orbit of the moon can reach…’

Lobbying around the GDPR was fierce and unprecedented. It took over two years and three months and 3999 amendments – plenty of them helpfully drafted by corporate lobbyists – for the European Parliament to settle on its preferred text in March 2014. It took another two years and three months before the law was finalised and adopted. Among the scaremongering that accompanied this frenzy of legal drafting were ‘studies’ purporting, for instance, that the GDPR would result in a loss of 3.9% of the EU’s GDP (h/t @PaulNemitz). (Now the same consultancy has published a study, paid for by Google, which warns the EU will lose a mere 0.45% of GDP as a result of the DSA, which is very reassuring.)

These companies are shapeshifters par excellence. They employ thousands of lobbyists and lawyers on terms too generous for any taxpayer-funded regulator to compete with. They oppose regulation unless they are able to co-draft it themselves, or unless its prospect is so fanciful (e.g. Zuckerberg’s call in March 2019 for ‘smart global regulation’ of the internet) that it can be safely advocated without risk that it will ever happen. When a lawmaker actually manages to pass regulation, all attempts at enforcement are contested in the courts, further depleting the resources and morale of authorities already routinely vilified for being timid and lugubrious in the exercise of their powers.

‘Much boisterous courage’

Since the summer, Google (market cap $1.032 trillion) has appealed the €600k fine that Belgium’s DPA (annual budget €6m) had dared to impose for violation of the GDPR’s right to be forgotten. Facebook meanwhile successfully applied to the Irish court to suspend the investigation (concerning a complaint already four years old) by the Irish DPA into its use of Standard Contractual Clauses in the light of the European Court of Justice’s judgment in July in Schrems II. It simultaneously appeared to leak a story to the Wall Street Journal while launching a PR assault headed by Nick Clegg protesting that it was only trying to help small businesses in Europe. Last year, the majority decision of the Federal Trade Commission justified its $5 billion settlement with Facebook (a settlement agreed with the party, not a fine imposed) on grounds of its hypothetical question ‘Is the relief we would obtain through this settlement equal to or better than what we could reasonably obtain through litigation?’

Democracies are thus confronted with monopolies who deny that they are monopolies but insist that they are providing an indispensable service to people who nevertheless are only ‘one click away’ from using an alternative service provider if they choose. The Chernobyl-like stability of this proposition is finally at imminent risk of collapsing under the weight of its own contradictions. 

‘Whereat the living mock’

These companies now like to talk about ethics. Ethics and AI. Ethics and operating in China. Ethics implies integrity, which implies your words hew reasonably closely to your actions. Within these companies lie mighty chasms between preaching and practice. Silicon Valley corporate culture is intensely secretive. Their PR machines and privacy dashboards have a soothing bedside purr that belies the aggressive resistance to regulation and enforcement. Obfuscate and deflect (argue that the enforcer lacks jurisdiction), defer and buy time to adjust business practices smoothly, a luxury not available to most companies. Plead to be acting in the public interest – when in fact the only mandate is to maximize shareholder value. Groom and charm the policy makers, batter the regulators that dare to charge with a violation.

When a private company becomes so powerful it can stymie or shape the laws that seek to constrain it, and then deploy its lawyerly heft to slow the wheels of enforcement so they grind so finely a harmful business model can remain intact, then it is not only democracy at stake, but the rule of law itself.

[Quotations are taken from W. B. Yeats’s ‘All Souls’ Night’, written in Autumn 1920]